Researchers identified a vulnerability in the Google Admin application for Android that could have been exploited to read arbitrary files from the app’s sandbox. Google says it has released an update to patch the flaw.
The Google Admin application for Android is designed to allow administrators to manage their Google for Work accounts from their mobile devices. Admins of Google Apps for Work, Education, Google Coordinate, and Government can use the app to add and manage users, contact support, and view their organization’s audit logs.
Researchers at security firm MWR InfoSecurity discovered a medium severity vulnerability that allows malicious applications installed on the same device as Google Admin to bypass the Android sandbox and read data from any file within Admin’s sandbox.
“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,” MWR InfoSecurity wrote in an advisory published last week.
According to MWR, the flaw was reported to Google in mid-March. The company noted in its advisory that the search giant had not released an update to patch the vulnerability.
However, Google says it has released an update for Google Admin to address the flaw reported by MWR. The company is not aware of any attacks leveraging this security hole.
“We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected,” a Google spokesperson told SecurityWeek.
Technical details on the vulnerability are available in MWR’s advisory.
Google announced in February that it has expanded its vulnerability reward program to mobile applications developed by the company.
As far as Android is concerned, numerous vulnerabilities have been uncovered in the mobile platform over the past months. The list includes several denial-of-service (DoS) bugs, and some critical issues such as the Stagefright vulnerabilities.
Related Reading: Samsung to Deliver Monthly Over the Air Security Updates for Android
Related Reading: Google to Issue Over The Air Updates to Nexus Devices

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
